International Law and Deterring Cyber-Attacks

Although the issue has been simmering for many years, the recent American election-related hacks by Russia have raised interest in deterrence of cyber-attacks—including whether and how they can be deterred. Two documents dedicated to the topic and well-worth reading have been published in the last month: the Defense Science Board’s Task Force Report on Cyber Deterrence (DSB Report) and Joseph Nye’s article on Deterrence and Dissuasion in Cyberspace.

They’re rich documents with a lot to digest, including a common conclusion that the U.S. government will need to rely more heavily on denial strategies over punishments in cyber compared to deterrence of other threats, and a common conclusion that U.S. deterrence strategy will necessarily vary significantly with the type of actor and type of cyber-attack. But I want to comment here on just a small piece of each: what they say about the international law of cyber-attacks and how international law fits into deterrence strategies.

The DSB Report’s most direct comment on the role of the law comes at page 14, where it recommends:

The United States must systematically develop a portfolio of both cyber and non-cyber (“whole-of-government” including diplomatic, economic, law enforcement, and military) response options to a wide range of potential cyber attacks and costly cyber intrusions. The objective should not be to develop a “cookbook” with formulaic responses, but a “playbook” that will allow DoD and other departments to ensure that there is real capability behind the U.S. cyber deterrence posture, and to be able to rapidly provide the President with a range of cyber and non-cyber response options in situations where deterrence fails.

I agree with this. The possible cyber-attack scenarios are far too diverse to pre-commit to rigid, formulaic responses. However, to date the U.S. government has been too slow in developing and vetting response options, and from a deterrence standpoint this creates perceptions of dithering and tentativeness. A more-developed “playbook” can improve response time and, by extension, credibility of responses. It can also support a clearer or more detailed declaratory policy of threatened responses to cyber-threats.

The DSB Report then goes on to say that legal clarity is important to developing and practicing such a “playbook”:

In order to support timely decision-making, the “plays” in this playbook must be in the context of a clear policy and legal framework for their employment (including policy and legal vetting and evaluation via interagency wargaming and discussion).

Big international law questions within this framework that the Report presumably has in mind include: When do cyber-attacks constitute prohibited “force” or an “armed attack” justifying self-defense (including military force) under the UN Charter? And even below those thresholds, when do cyber-attacks cross other international legal lines, such as sovereignty and non-intervention, justifying otherwise-illegal countermeasures? These and many other international law questions are important to assessing U.S. response options—not only when the U.S. may respond and with what means, but also what offensive cyber-options of its own the United States may conduct as part of its reaction.

Again, I agree with DSB Report that a “clear legal framework” would help. But we need to be specific and realistic about how clear the relevant legal framework can get.

The United States has put forth publicly some general answers to these international law questions (see, e.g., the sources cited in here). However, these and answers to many other questions will remain unsettled for a long time and will depend heavily on specific facts and context (see my own recent take on this here). Even if the U.S. Government resolves these legal questions with more clarity internally, they will remain highly contested internationally, which is important to understanding the costs and benefits of actions and opportunities for joint action with allies. The DSB Report recommendation is sound, yet it’s important to acknowledge realistic limits to legal clarity.

Nye’s article, Deterrence and Dissuasion in Cyberspace, has more to say about international law (and, more broadly, international norms) and its relationship to deterrence strategy. One of Nye’s points is that international law or norms can contribute to U.S. deterrence strategy “by imposing reputational costs that can damage an actor’s soft power beyond the value gained from a given attack.”

Whereas the DSB report is focused on the role of law internally in supporting deterrence strategy, Nye also focuses here on its role externally. Like many others who have looked at this issue, he goes on to note that imposing reputational costs for crossing legal or normative taboos requires attribution (those problems are actually less about technical capacity than about demonstrating attribution publicly and quickly, consistent with protecting sensitive intelligence sources and methods). He also argues that new international rules are more likely to be effective in limiting targets of cyber-attacks, such as certain critical infrastructure that provides services to the public, than in limiting types of cyber-tools. A big problem for norms as deterrents, however, is that the actors we are most worried about deterring may not care much about reputational costs.

Near the end of his article, Nye’s analysis of international law connects with the DSB Report’s emphasis on developing a “playbook,” for which more legal clarity is important. Nye discusses the particular challenges the United States faces in deterring cyber-attacks that do not rise to the legal threshold of “armed attack,” justifying self-defensive force. By way of poignant example:

The alleged 2016 Russian disruption of the Democratic National Convention and presidential campaign fell into a gray area that could be interpreted as a propaganda response to Secretary of State Hillary Clinton’s 2010 proclamation of a “freedom agenda” for the Internet or, more seriously, an effort to disrupt the American political process. This was not an armed attack, but it was a gray-zone political threat that one would like to deter in the future.

I think Nye understates the significant menu of options that the United States has for responding to cyber-attacks below the “armed attack” threshold, including economic/financial measures, diplomatic and law enforcement actions, cyber-operations of our own, and military actions that themselves don’t constitute force. He’s quite right, though, that the United States and other democracies currently face cyber-threats that gravely threaten national interests but that don’t fit neatly into existing legal categories.

In reading both pieces, it’s important to remember that any effort by the United States to achieve a clearer legal framework to support a deterrence strategy must be conducted simultaneously with developing a legal framework to support its own offensive cyber-operations strategy. Thinking about the requirements of effective deterrence and deducing from those requirements some legal preferences are important as part of a broader effort to develop and promote legal interpretations. But the United States is pursuing many different strategies simultaneously, and the same overall legal framework is going to apply across all of them.

Matthew Waxman is a law professor at Columbia Law School, where he co-chairs the Program on Law and National Security. He is also co-chair of the Cybersecurity Center at Columbia University’s Data Science Institute, as well as Adjunct Senior Fellow for Law and Foreign Policy at the Council on Foreign Relations. He previously served in senior policy positions at the State Department, Defense Department, and National Security Council. After graduating from Yale Law School, he clerked for Judge Joel M. Flaum of the U.S. Court of Appeals and Supreme Court Justice David H. Souter